From: Alec Warner
Date: Wed, 3 Apr 2019 18:35:18 -0400
Subject: Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14
To: gentoo-project

On Wed, Apr 3, 2019 at 2:44 PM Michał Górny wrote:

> On Wed, 2019-04-03 at 17:43 +0300, Andrew Savchenko wrote:
> > Why? We have no way to verify that provided names are valid or that
> > provided ID's are valid. At least in my jurisdiction such
> > information collected can't be used for legal action or protection
> > without following established government-assisted verification
> > procedure. In other jurisdictions similar problems may and will
> > arise.
>
> 'Perfect is the enemy of good'. Claiming that you can't be 100% sure
> that someone's giving his real name doesn't imply that everyone is using
> fake names. Or that it makes no sense to use them.
>
> > Additional problem is personal data collection, it is
> > restricted or heavily regulated in many countries. One can't just
> > demand to show an ID via electronic means without following
> > complicated data protection procedures which are likely to be
> > incompatible between jurisdictions.
>
> Do you have any proof of that, or are you just basing your comments
> on the common concept of misunderstanding GDPR and extending it to match
> your private interest?
>
> > So the real name requirement gives us no real protection from
> > possible cases, but creates real and serious problems by kicking
> > active developers and contributors from further contributions.
> > NP-Hardass is not the only one.
>
> Do you have any proof of that? As far as I'm concerned, we're pretty
> clear that NP-Hardass can't contribute to Gentoo, and that his previous
> contributions shouldn't have been accepted in the first place (and why
> Trustees agreed to them is another problem). Are you going to take
> legal and financial responsibility if his employer claims copyright to
> his contributions? And if you say yes, are you going to really take it
> or go with the aforementioned attitude that we can't legally force you
> to?
>

Under the current policy we do not accept contributions from contributors whose names we believe are not real identities. The current policy says nothing about previous contributions; almost everyone who contributed to Gentoo over the past 20 years did so without signing anything, without identity verification, and with no DCO. Those commits were accepted and continue to be accepted until we decide otherwise.

I don't like the way you construe the previous work of hundreds of people who contributed to the project; I find the idea that we should never have accepted these contributions to be pretty offensive.

You are free to blame the organization for having bad policies (and you do and I'm the board President and I will 1000% take the blame) but don't for a minute blame people who are just trying to contribute and following the policies that the project had at the time. As you wrote above "perfect is the enemy of the good" and if we rejected the previous 20 years of work we'd have basically nothing, so we accept that risk as a cost of continuing to exist as a Foundation. No business operates with zero risk.

>
> > I invited some gifted people with
> > high quality out-of-tree work to become contributors or developers,
> > but due to hostile attitude towards anonymous contributors they
> > can't join. And people want to stay anonymous for good reasons,
> > because they are engaged with privacy oriented development.
>
> This is a very vague statement that sounds like serious overstatement
> with no proof, aimed purely to force emotional reaction to support your
> proposal. If you really want to propose something meaningful, I'd
> really appreciate if you used real evidence to support it rather than
> vague claims.
>
> > We are losing real people, real contributions and real community.
> > What for? For solving imaginary problems with inappropriate tools.
> >
>
> Thank you for telling us that copyright is an imaginary problem.
>

Your words are like knives, and this leads to a perception of antagonism.

1) The policies of the project currently prioritize a knowledge of where commits come from in order to eventually reduce liability risk for the project.
2) I firmly do not believe the project has anything against anonymous / pseudonymous contributors (nor should it; if you think it does I'm happy to amend bylaws, GLEPs, and any other charter documents to state that we have nothing against that type of contribution.)
3) The current policy makes it difficult to contribute in this way; because we have this trade-off we have made where we want to know where commits come from for legal reasons.

It's OK to say "Hi X, we cannot accept your anonymous / pseudonymous contribution because of this policy, and we made this policy to solve a problem of copyright liability for the organization."
I don't think it's OK to say "Hi X, it's completely unreasonable to want to contribute to Gentoo in an Anonymous or Pseudonymous manner; please file your identity papers to me immediately!"

My reading is your comments are closer to the latter than the former; I'm just not sure why that is.

I think it's perfectly sane to ask "how can we build an organization where we can accept pseudonymous contributions and contain our liability for code from unverified contributors?" and have people interested in that write up and vet proposals. I get that it's a complex and difficult problem area; maybe none of the proposals will work! but that doesn't mean we shouldn't try to do it.

>
> --
> Best regards,
> Michał Górny
>